Unlock Legal Advice

Privacy Law & Technology in the UK - Rights, Responsibilities & Risks

As a result of technological innovation we are now documenting more and more of our lives through the use of smart phones, and uploading these pictures and videos onto platforms that exist on the internet. This has greatly enhanced the convenience with which we go about our business, allowing us to capture moments with family and friends effortlessly and without the need of cumbersome technology.

Modern Technology & Increasing Breaches of Privacy IN THE uk

However this increase in the use of technology has resulted in a heightened threat to the privacy of members of the public. Increasingly in the media there are reports of how various celebrities have suffered violations of their privacy, with videos and pictures of them being leaked and finding their way into the hands of journalists.

These breaches of privacy have caused organisations operating storage facilities online to reconsider the security measures that they implement to protect their users data, pictures and videos. Technology has a habit of outrunning company policies and security systems. It is very important that you understand what the current rules are regarding privacy, and how breaches of these rules have been and can be dealt with. See here for more guides regarding Privacy Law.

What is Privacy?

Privacy is a very important concept for everyone, and is fairly well understood. No one wants to see any of their personal or private information disclosed to an unauthorised party. Your private life is fairly easy to protect within the confines of your home, but it can become tricky to guard against unwanted attention when it moves beyond those boundaries.

How is Privacy protected?

As a concept in the UK, and Europe more broadly, Privacy is very heavily regulated. Any individual or organisation that holds or gathers information on someone must comply with fairly stringent requirements under various pieces of legislation. Arguably the most famous piece of legislation in this area is the Human Rights Act 1998, which incorporated the European Convention on Human Rights in UK law. Under the Convention everyone has the right to ‘respect for private and family life, his home life and his correspondence’.

In terms of the regulation of technology and the preservation of privacy, the Data Protection Act (DPA) 1998 is the most relevant piece of legislation. The rules set down in the Act are varied, but the general ambit of the legislation is that anyone who holds personal information on another individual will only do so for the requisite purpose and length of time. This information must also be kept secure.

Businesses that offer a service where personal information can be stored online by their customers or account holders will operate a Privacy Policy that observes the laws in the country that they are operating in. This policy will attempt to keep personal information stored online safe, and prevent access to unauthorised individuals.

Why has Privacy been in the media recently?

Recent months have seen the media report on a number of instances where personal pictures and videos of celebrities have found their way into the public domain. A number of individuals including Rihanna, Jennifer Lawrence, Jessica Brown and Emma Watson have all complained that private pictures of them had been leaked on the internet.

These complaints all largely revolved around the hacking of personal accounts that were connected to Apple’s iCloud service, which stores photographs and video content online for account holders.

What are the issues with Technology?

It is important to understand that the concerns regarding the hacking of internet storage facilities have been a major issue for a number of years. However this has not stopped an ever increasing number of organisations offering online storage services across a variety of platforms e.g. smart phones, laptops, tablets etc.

Unfortunately no technology is, as of yet, completely safe from invasion by hackers. The Apple iCloud service is no different and has suffered a series of sustained attacks by professional hackers recently.

The service uses many of the same security features that are common to most websites that allow users to store personal information online. There are a series of security questions which must be answered, alongside the provision of an email address and password to login to the platform.

Industry experts claimed that iCloud was likely accessed by brute force. Reports suggested that this involved professional hackers mounting multiple attacks on a service by inputting several guessed login details simultaneously on multiple platforms. Apple has denied any suggestion that there was any flaw in its technology that could have allowed access to users’ personal data.

The leaking of famous users’ personal information was so damaging that Apple’s CEO wrote in an open letter to customers and service users, explaining how their personal information is handled by the company. Furthermore Apple is reported to have increased its security measures in policing attempts to hack into user’s personal accounts on Apple’s products. Apple was also very clear in stating that it did not work in partnership with Government or outside agencies in creating their security systems.

How does this affect me?

The hacking of personal information is a risk that all users of online storage facilities are exposed to. If you use an online storage facility e.g. iTunes or even a social media profile e.g. Facebook, Instagram, Twitter etc you run the risk of having your images or personal data hacked.

As users of online storage facilities we are all required to be very careful in what information we store online. There are safety features that users can take advantage of in operating accounts e.g. set a social media profile to ‘private’ to guard against unwanted attention. However this does not address the risk of a ‘private’ profile being hacked.

What do hackers do?

Hackers are individuals or groups of individuals that use technology to gain unauthorized access to information. They are ultimately attempting to ‘break in’ to a computer programme and copy the information that is contained to be used elsewhere.

Hackers will attempt to access confidential information i.e. information they would otherwise not see for any number of reasons. Some instances of the most famous instances of hacking have related to US Government defence programmes, and been defended as accidents. Hackers may well be employed to break in to computer programmes in exchange for payment. This is particularly prevalent in the media industry, where hackers may gain access to internet accounts of celebrities or television stars, copy the video and pictures that they uncover and sell these on to newspapers and websites for distribution.

In some instances, individuals may engage in hacking simply due to their own personal or political views of an organisation or government.

Hackers tend to be very sophisticated computer programmers who are very familiar with the mechanics of online storage systems.

What can I do to avoid hacking?

In the first instance it is advisable to create a username and password that is unique, and something which would not be the obvious choice e.g. date of birth, name etc. Storage facility providers always remind their users to store their usernames and passwords in a safe place. Furthermore it is also a good idea to change usernames and passwords on a regular basis. Accounts that are left unaltered for a period of time run an increased risk of being successfully hacked.

It would also be advisable to install a firewall or virus-checking software on your technology i.e. laptop or PC. A firewall is designed to ensure that other internet users are kept away from the data stored on your computer. Organisations that store individuals’ data will operate their own firewalls around this software to prevent hackers from gaining access to their systems. They should also guard against any unwanted viruses appearing in your computer. However it should be noted that hackers can break through firewalls, which is why there is often a need for additional safety features.

Another important step that individuals can take in protecting their pictures and videos that are stored online, is to use anti-spyware technology. ‘Spyware’ is a term that describes programs that are designed to monitor your activities when you user your computer. Few intentionally download this technology onto their computer, as it is often a component of other software more commonly used e.g. games, media files etc. This technology can store your passwords for online services and relay this back to hackers and fraudsters. Downloading anti-spyware programmes protect you from this, and are generally freely available.

It is impossible to predict if an account will be hacked. If someone is well known in the media then it is arguable that they are at an increased risk of having their online presence investigated by hackers for payment. Generally people needn’t be overly concerned about the risk of hacking, but would be wise not to be careless in how they protect their online information.

What if my account is hacked and information is leaked?

If you are concerned that your online account has been hacked, it would be advisable to contact your service provider and provide details your concerns. You will normally be required to provide any details that you have of the hacking. This may be useful in identifying the business’s breach of its privacy policy.

If you find that your personal information has been displayed on websites without your permission, an alternative or additional route that you could pursue, in addition to complaining to your service provider is to complain to a regulator.

Complaints about an organisation

In the UK there is a specialised agency that oversees businesses’ compliance with the Data Protection Act, and who can be contacted if there is a belief that obligations have not been observed.

In the UK it is the Information Commissioner (ICO) that will deal with concerns regarding a breach of the legislation. If you believe that a business has breached the Data Protection Act and allowed personal information of yours to be passed on without your permission, or has not taken adequate steps to protect your personal information, you can complain to the Information Commissioner.

In the UK the Information Commissioners has a number of powers that can be used to deal with alleged breaches of the legislation. The powers of the ICO include:

Monetary Penalties

The ICO has the power to issue penalties up to £500,000 against organisations that commit serious breaches of the DPA. This can include instances where organisations have failed to keep personal data of service users safe.

Undertakings

In an attempt to address an organisation’s failure to observe the terms of the DPA, the ICO can set out a series of steps called ‘undertakings’ that will require the organisation to implement certain practices and procedures to ensure that they are in full compliance with the terms of the Act.

Enforcement Notices

If an organisation is found to be breaching the law i.e. it is still breaching the law at the moment by not protecting information as it should, the ICO can issue an ‘Enforcement Notice’. These vary in their content but can include ‘stop now’ orders to prevent organisations from continuing their actions or ‘refrain from acting’ orders to prevent future actions which could breach the legislation.

Criminal Prosecutions

This is arguably the highest punishment the ICO can pursue against a business for breaching the DPA. These prosecutions will vary in their substance but will ultimately involve businesses that have breached the DPA i.e. failed to protect information, given access to information without consent or held information for longer than otherwise would have been intended. Most of the criminal prosecutions launched by the ICO, if successful, will result in a financial penalty on the guilty party.

Complaints about an individual

In many situations organisations will not be to blame for the hacking of web based personal accounts. Increasingly individual hackers, and groups of hackers have increased their attacks on privately held internet based storage services e.g. Apple’s iCloud but the company has not breached any laws or privacy policy. In that situation it is an individual that is to blame.

It can be very difficult to identify an individual hacker. In this situation it would be advisable to contact your service provider and notify them of your pictures having been leaked. These occasions tend not to be isolated and will be one of many attacks on several accounts on a particular storage service. A service provider will normally ingather all of the information from their customers, and working alongside regulatory bodies e.g. Information Commissioner bring a criminal or civil claim against the individual concerned.

Identifying individual hackers can be a very complex and lengthy process which often involves business, regulators and the police working together to identify an individual. When individuals are caught they will likely be prosecuted under the DPA or accompanying legislation.

Compensation

It is not uncommon when dealing with instances of hacking, whether this is by an organisation or individual, that people may wonder whether or not they are entitled to any level of financial compensation.

Under the DPA an individual will only be entitled to compensation where there is evidence that they have suffered ‘damage’. Unfortunately the Act does not define what ‘damage’ means but as a matter of policy, individuals who are able to demonstrate some degree of financial loss owing to suffering their online account being hacked, is likely to be entitled to compensation.

In most instances however it is the case that individuals do not suffer financial loss. Generally most people will suffer a degree of emotional distress where their online account has been hacked. They may be very angry to find that their personal pictures or videos are publicly available, but owing to a lack of financial loss, it is unlikely that any compensation will be offered for ‘distress’ alone. However if it is possible to identify any degree of financial loss, the level of compensation that will be awarded will likely reflect the level of emotional distress that was suffered.

Key points REGARDING YOUR RIGHTS TO PRIVACY wITH mODERN tECHNOLOGY IN THE uk

Information stored online is vulnerable to being hacked

It is your responsibility to take reasonable steps to protect your information

Organisations that store your information must keep it secure

The Data Protection Act is the most relevant legislation regarding online privacy in the UK

Criminal penalties do exist for breaches of the legislation

Simple steps can reduce the risk of personal accounts being hacked

Nothing in this guide is intended to constitute legal advice and you are strongly advised to seek legal advice on matters that affect you.